CVE-2025-70974

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-70974

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-70974.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-70974

Aliases

GHSA-jm7w-5684-pvh8

Published

2026-01-09T07:16:02.677Z

Modified

2026-02-03T03:26:18.438073Z

Severity

10.0 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

Fastjson before 1.2.48 mishandles autoType because, when an @type key is in a JSON document, and the value of that key is the name of a Java class, there may be calls to certain public methods of that class. Depending on the behavior of those methods, there may be JNDI injection with an attacker-supplied payload located elsewhere in that JSON document. This was exploited in the wild in 2023 through 2025. NOTE: this issue exists because of an incomplete fix for CVE-2017-18349. Also, a later bypass is covered by CVE-2022-25845.

References

Affected packages

Git / github.com/alibaba/fastjson

Affected ranges

Type: GIT
Repo: https://github.com/alibaba/fastjson
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

28da8e194bb7bca71676bb10b9cb343653289de6

Affected versions

1.*

1.1.20

1.1.21

1.1.22

1.1.23

1.1.25

1.1.26

1.1.27

1.1.31

1.1.32

1.1.33

1.1.34

1.1.35

1.1.36

1.1.37

1.1.42

1.1.43

1.1.44

1.1.45

1.1.46

1.2.0

1.2.1

1.2.10

1.2.11_release

1.2.12

1.2.13

1.2.14

1.2.15

1.2.16

1.2.17

1.2.18

1.2.19

1.2.2

1.2.20

1.2.21

1.2.22

1.2.23

1.2.24

1.2.25

1.2.26

1.2.27

1.2.28

1.2.29

1.2.30

1.2.31

1.2.32

1.2.33

1.2.34

1.2.35

1.2.36

1.2.37

1.2.38

1.2.39

1.2.4

1.2.40

1.2.41

1.2.42

1.2.43

1.2.44

1.2.45

1.2.46

1.2.47

1.2.6

1.2.7

1.2.8

1.2.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-70974.json"